
How do you add a timestamp onto a log that has a second counter in the log?



I have a log that has a second counter inside it, 1 2...11... 3601...etc .

So data i have
1 Data XXYXX
2 Data XXYXX
5 Data XXYXX
11 Data XXYXX
3601 Date XXYY

The issue is that the log can be given to Splunk in one go, so it might get 20K lines in the same few seconds. So I can't use INDEX TIME (as I think it will put all the events into the same few seconds; I need the data to be spread using the seconds in the file).

So I need it to say 3600 seconds is 1 hour and give each event a different timestamp depending on the second counter..... make it more complex :):):).

I don't want the time to go forward into the future; I would like it to start at the end and go backwards, or set a negative 2 weeks as "0" and go forward...something like that... [Basically I don't want future events from now()]

What i want Splunk to see for TIMESTAMP (Assuming we go back to start of month or something like that)

01/11/2018 12:00:01 1 Data XXYXX
01/11/2018 12:00:02 2 Data XXYXX
01/11/2018 12:00:05 5 Data XXYXX
01/11/2018 12:00:11 11 Data XXYXX
01/11/2018 13:00:02 3601 Date XXYY

Any help would be super super stuff thanks

Cheers in Advance 🙂


I think that for index time, you'll have to use the datetime.xml to achieve your goals.
You can do it easily at search time, example:

index=<your_index> sourcetype=<your_sourcetype>
| rex field=_raw "(?<seconds_counter>\d+)"
| eval _time = _time + seconds_counter
| more stats and evals to complete your search

hope it helps




In fact I need this to add to a datamodel, so I need to do it at index time if possible.


data models are search results ... why not create an eval field?




This is what we did thanks.
In the datamodel we put in if(isnull(GC_TIMESTAMP),_time-2592000+relative_time,_time) .

So relative_time is the seconds and if no time stamp is there we go back 90 days and start from there.
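As an added worked example (not code from the thread or from Splunk), the mapping both the question and the accepted datamodel eval describe can be run offline in Python: pull the leading seconds counter out of each raw line, then compute `_time - 2592000 + relative_time` when no real timestamp (GC_TIMESTAMP) exists, and keep the real timestamp when it does. The sample events are constructed to match the shape in the question; the base time 1 Nov 2018 12:00:00 UTC is an assumption taken from the question's desired output (read as day/month), and the index time is assumed to be exactly 2,592,000 seconds (30 days) later so that the eval's subtraction lands on that base. A final check confirms that no assigned timestamp lies after the index time, which is the "no future events" requirement.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events in the shape shown in the question:
# a leading seconds counter followed by the payload.
RAW_EVENTS = [
    "1 Data XXYXX",
    "2 Data XXYXX",
    "5 Data XXYXX",
    "11 Data XXYXX",
    "3601 Date XXYY",
]

# Leading digits only, so a number inside the payload is never mistaken for the counter.
COUNTER_RE = re.compile(r"^(?P<relative_time>\d+)\b")

# Offset used in the thread's eval: 2,592,000 seconds is 30 days.
BASE_OFFSET_SECONDS = 2_592_000


def extract_counter(raw):
    """Return the leading seconds counter of one raw event as an int."""
    m = COUNTER_RE.match(raw)
    if m is None:
        raise ValueError(f"no leading seconds counter in event: {raw!r}")
    return int(m.group("relative_time"))


def assign_time(raw, index_time, gc_timestamp=None, base_offset=BASE_OFFSET_SECONDS):
    """Mirror of if(isnull(GC_TIMESTAMP), _time-2592000+relative_time, _time):
    use the real timestamp when present, otherwise offset from a base that
    sits base_offset seconds before the index time."""
    if gc_timestamp is not None:
        return gc_timestamp
    base = index_time - timedelta(seconds=base_offset)
    return base + timedelta(seconds=extract_counter(raw))


def assign_batch(raw_events, index_time, gc_timestamps=None, base_offset=BASE_OFFSET_SECONDS):
    """Stamp a whole batch that arrived at one index time; returns (timestamp, raw) pairs."""
    if gc_timestamps is None:
        gc_timestamps = [None] * len(raw_events)
    return [
        (assign_time(raw, index_time, gc, base_offset), raw)
        for raw, gc in zip(raw_events, gc_timestamps)
    ]


def check_not_future(stamped, now):
    """True when every assigned timestamp is at or before `now` (no future events)."""
    return all(ts <= now for ts, _ in stamped)


def format_event(ts, raw):
    """Render as dd/mm/YYYY HH:MM:SS plus the raw line (day/month order assumed)."""
    return f"{ts.strftime('%d/%m/%Y %H:%M:%S')} {raw}"


def question_base():
    """Assumed base time: the question's 01/11/2018 12:00:00, read as 1 Nov 2018 UTC."""
    return datetime(2018, 11, 1, 12, 0, 0, tzinfo=timezone.utc)


def question_index_time():
    """Assumed index time: 30 days after the base, so _time - 2592000 == base."""
    return question_base() + timedelta(seconds=BASE_OFFSET_SECONDS)


def demo():
    """Stamp the constructed batch the way the datamodel eval would and return the pairs."""
    stamped = assign_batch(RAW_EVENTS, question_index_time())
    for ts, raw in stamped:
        print(format_event(ts, raw))
    return stamped


if __name__ == "__main__":
    demo()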


Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...